Support Article
Failed to bind to directory with bind information: Handshake err
SA-45483
Summary
After upgrading the LDAP server to use SSL, the user gets errors when Pega tries to connect to it.
Error Messages
PegaRULES log:
Failed to bind to directory using bind information. Is the distinguished name similar to "cn=Admin"? javax.naming.CommunicationException: simple bind failed: ab-ldap-cd.efgh.ijk.lm:636 [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
...
Server debug log:
[6/09/17 11:29:47:888 EST] 00000236 SystemOut O WebContainer : 1, READ: SSLv3 Alert, length = 2
[6/09/17 11:29:47:888 EST] 00000236 SystemOut O WebContainer : 1, RECV TLSv1 ALERT: fatal, handshake_failure
[6/09/17 11:29:47:889 EST] 00000236 SystemOut O WebContainer : 1, called closeSocket()
[6/09/17 11:29:47:889 EST] 00000236 SystemOut O WebContainer : 1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[6/09/17 11:29:47:891 EST] 000000af SystemOut O 2017-09-06 11:29:47,891 [ WebContainer : 1] [TABTHREAD1] [ ] [ PegaRULES:07.10] (.Data_Admin_AuthService.Action) ERROR xx-xx-pega01|123.12.xxx [email protected] - Data-Admin-AuthService WebLDAP1: Failed to create directory context anonymously. Anonymous bind may not be supported. CONTINUING TEST... javax.naming.CommunicationException: anonymous bind failed: ab-abcd-ef.ghij.klm.no:636 [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
[6/09/17 11:29:47:892 EST] 00000236 SystemOut O adding as trusted cert:
...
Steps to Reproduce
Navigate to Record > SysAdmin > Create > SysAdmin > Authentication Services.
Root Cause
A defect in Pegasystems’ code or rules:
The user gets an SSLHandshakeException when connecting to the LDAP directory server from the Pega client, because the client is not able to downgrade or upgrade the SSL protocol version to one the server accepts.
Resolution
Perform the following local-change:
1. Override the pySSLProtocol value by hard-coding it to "TLSv1.2"
(Or)
Read the protocol version from the RASS setting in the pyDefault Data Transform of the Data-Admin-AuthService class, using @getRuleSystemSetting("Pega-IntegrationArchitect", "pyLowestAllowableTLSVersion"), since that setting is available.
2. Create a new Authentication Service rule and run Test Connectivity.
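To make the protocol-version mismatch behind the fatal handshake_failure alert concrete, the following is an added illustration and not Pega code: a simplified model of TLS version negotiation between a directory server that was hardened to TLS 1.2 only and a client that can only offer an older version. The setting names pySSLProtocol and pyLowestAllowableTLSVersion come from this article, but how Pega maps them onto the Java SSLContext, and the legacy default of offering only TLSv1, are assumptions of this model.

```python
"""Simplified model of TLS protocol-version negotiation (added illustration, not
Pega code). It shows why a client pinned to an old protocol version receives a
fatal handshake_failure alert from a server that now requires TLS 1.2, and why
either resolution path in the article restores connectivity.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Protocol versions in order; a higher index means a newer version.
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def _rank(version: str) -> int:
    try:
        return VERSIONS.index(version)
    except ValueError:
        raise ValueError(f"unknown protocol version {version!r}") from None


@dataclass(frozen=True)
class Endpoint:
    """One side of the handshake with the version range it is willing to use."""
    name: str
    min_version: str
    max_version: str

    def supports(self, version: str) -> bool:
        return _rank(self.min_version) <= _rank(version) <= _rank(self.max_version)


def negotiate(client: Endpoint, server: Endpoint) -> str:
    """Return the agreed version, or 'handshake_failure' if the ranges do not overlap.

    The client advertises its highest version; the server selects the highest
    version at or below that which both sides accept (the TLS 1.2 rule). If no
    such version exists the server answers with a fatal handshake_failure alert,
    which is what the JSSE debug log in the article records.
    """
    offered = client.max_version
    for candidate in reversed(VERSIONS[: _rank(offered) + 1]):
        if server.supports(candidate) and client.supports(candidate):
            return candidate
    return "handshake_failure"


def pega_client_from_settings(py_ssl_protocol: Optional[str] = None,
                              lowest_allowable: Optional[str] = None) -> Endpoint:
    """Model the two resolution paths from the article (assumed semantics).

    1. pySSLProtocol hard-coded (e.g. "TLSv1.2"): the client offers exactly that version.
    2. Otherwise derive the floor from the pyLowestAllowableTLSVersion setting and
       offer everything from that floor up to the newest version in this model.
    With neither setting, assume the legacy behaviour of offering only TLSv1.
    """
    if py_ssl_protocol:
        return Endpoint("Pega client", py_ssl_protocol, py_ssl_protocol)
    if lowest_allowable:
        return Endpoint("Pega client", lowest_allowable, VERSIONS[-1])
    return Endpoint("Pega client", "TLSv1", "TLSv1")  # assumed legacy default


def scenario() -> Dict[str, str]:
    """Run the article's situation before and after the LDAP server upgrade."""
    server_before = Endpoint("LDAP (before upgrade)", "SSLv3", "TLSv1.2")
    server_after = Endpoint("LDAP (after upgrade)", "TLSv1.2", "TLSv1.2")
    legacy_client = pega_client_from_settings()
    return {
        "before_upgrade": negotiate(legacy_client, server_before),
        "after_upgrade_legacy_client": negotiate(legacy_client, server_after),
        "after_upgrade_pinned_tls12": negotiate(
            pega_client_from_settings(py_ssl_protocol="TLSv1.2"), server_after),
        "after_upgrade_rass_floor": negotiate(
            pega_client_from_settings(lowest_allowable="TLSv1.2"), server_after),
    }


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:32s} -> {outcome}")
```

Running the block prints one line per case: the legacy client still negotiates TLSv1 against the old server, fails with handshake_failure once the server requires TLS 1.2, and succeeds with TLSv1.2 under either of the two settings changes described above.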
Published March 8, 2018 - Updated October 8, 2020